
Why do I need Software Composition Analysis (SCA) specialized for Embedded Systems?

  • Fixes blind spots in common Binary Scanners and Source Scanners
  • Produces more accurate Software Bill of Materials for embedded Linux & open source components
  • Enables more accurate vulnerability detection with fewer false positives and fewer missed vulnerabilities
  • Build-system-based SCA makes vulnerability detection and remediation simpler and more efficient

Software Composition Analysis (SCA) is an essential function for understanding the components in your software and monitoring vulnerability disclosures to identify security issues.

SCA tools generate a Software Bill of Materials (SBOM) showing which software components are present in a particular product.

But common SCA tools have serious blind spots when it comes to embedded Linux and other open source, third-party software used in building embedded systems. These blind spots make security maintenance much harder and more complex.

  • Binary scanners
    • No metadata in binaries about patching or configurations, so fixed or irrelevant vulnerabilities are still reported as active.
    • Sometimes a component or version cannot be determined based on a binary signature, so the SBOM is inaccurate.
  • Source scanners
    • Cannot identify which packages are actually installed in a given product, so they report every package in the source tree as installed.
    • Cannot collect build artifacts such as applied patches or kernel configurations, so their vulnerability reports are highly inaccurate.

Result of these SCA blind spots: many false positives and missed vulnerabilities.

Build-system-based SCA fixes blind spots

In response to the need for better SBOMs for embedded system products, we have created the industry’s first SCA solution that is optimized for embedded systems, the Timesys Vigiles® Vulnerability Management Suite.

Vigiles addresses the SCA blind spots because it is integrated with your Yocto, Buildroot or Timesys Factory build system:

  • Extracts SBOM from build system to capture metadata
    • Configurations enabled (e.g., drivers enabled in Linux kernel)
    • List of vulnerabilities already addressed in applied patches
    • Hardware platform information
  • Filters vulnerabilities based on more accurate SBOM
    • Reports only the vulnerabilities that are still unfixed, apply to your hardware platform, and affect code enabled by your configuration
    • Can cut reported vulnerabilities by up to 75% — huge reduction in level of effort
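As an added illustration of the filtering described above (example code written for this page, not Vigiles code or part of the original text), the function below triages a constructed advisory feed against a build-system SBOM that carries applied patch names and the kernel .config. It assumes the Yocto convention that an applied patch file name contains the CVE id it fixes; the CVE-0000-* ids, package versions and config symbols are constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass
class Package:            # one SBOM entry extracted from the build system
    name: str
    version: str
    patches: tuple = ()   # patch files the recipe applies; CVE ids in their names record fixes

@dataclass
class Advisory:           # one vulnerability-feed entry (constructed placeholder data below)
    cve: str
    package: str
    affected: frozenset   # affected upstream versions
    needs_config: frozenset = frozenset()  # kernel symbols required for the code to be built in

def parse_kconfig(text):
    """Symbols enabled (=y or =m) in a kernel .config; '# ... is not set' lines drop out."""
    return set(re.findall(r"^(CONFIG_\w+)=[ym]$", text, re.M))

def cves_fixed_by_patches(pkg):
    """Yocto-style convention: a CVE id in an applied patch's name marks that CVE as fixed."""
    return {cve for p in pkg.patches for cve in re.findall(r"CVE-\d{4}-\d{4,}", p)}

def triage(installed, advisories, enabled):
    """Classify each advisory against what is actually built, patched and configured."""
    by_name, verdict = {p.name: p for p in installed}, {}
    for adv in advisories:
        pkg = by_name.get(adv.package)
        if pkg is None:                                    # source scanners skip this check
            verdict[adv.cve] = "not-installed"
        elif pkg.version not in adv.affected:
            verdict[adv.cve] = "version-not-affected"
        elif adv.cve in cves_fixed_by_patches(pkg):        # binary scanners cannot see this
            verdict[adv.cve] = "fixed-by-patch"
        elif adv.needs_config and not (adv.needs_config & enabled):
            verdict[adv.cve] = "config-disabled"
        else:
            verdict[adv.cve] = "unfixed"                   # the only actionable bucket
    return verdict

# Constructed sample data: the CVE-0000-* ids are placeholders, not real advisories.
KCONFIG = "CONFIG_USB_GADGET=y\n# CONFIG_BT is not set\nCONFIG_NET=y\n"
INSTALLED = [Package("linux-yocto", "5.10", ("0001-CVE-0000-1001-gadget-fix.patch",)),
             Package("openssl", "1.1.1n")]
ADVISORIES = [Advisory("CVE-0000-1001", "linux-yocto", frozenset({"5.10"}), frozenset({"CONFIG_USB_GADGET"})),
              Advisory("CVE-0000-1002", "linux-yocto", frozenset({"5.10"}), frozenset({"CONFIG_BT"})),
              Advisory("CVE-0000-1003", "linux-yocto", frozenset({"5.10"}), frozenset({"CONFIG_NET"})),
              Advisory("CVE-0000-1004", "openssl", frozenset({"1.1.1k"})),
              Advisory("CVE-0000-1005", "busybox", frozenset({"1.35.0"}))]
```

Running `triage(INSTALLED, ADVISORIES, parse_kconfig(KCONFIG))` leaves one of the five constructed advisories in the "unfixed" bucket; a binary scanner would also have flagged the patched one, and a source scanner would have flagged the package that is not even installed.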

SBOM Generation Comparison

| Feature | Build-system based | Binary scan | Source scan |
|---|---|---|---|
| SBOM generation accuracy | Best | Good | Poor |
| Vulnerability metadata for generating accurate reports (based on patches applied, configurations and hardware info) | Best | Poor | Good |
| Integration into the developer workflow | Best | Poor | Poor |

Free SCA for Embedded evaluation checklist

Timesys has compiled an evaluation checklist that sets out the required features and provides details to aid in the evaluation of SCA tools. Our complimentary evaluation checklist for SCA for Embedded Systems gives you a detailed listing of 32 features, capabilities and requirements that are essential for efficient embedded system security maintenance.

The checklist covers topics including:

  • SBOM accuracy
  • Vulnerability data quality
  • Ease of monitoring
  • Filters
  • Triage tools
  • Remediation tools
  • Workflow

Fill out the form to get your copy of the checklist.

Want to learn more about vulnerability management and SCA for embedded systems?
Be sure to check out the comments from our CTO, Akshay Bhat.
Vulnerability Tools for Embedded